Remote Function Patcher
Technique Details
Description
The Remote Function Patcher technique modifies the start of a function in a remote process by writing a RET instruction (0xC3 on x86 and x64, 0xD65F03C0 on ARM64) at the function's entry point. The function then returns immediately whenever it is called, which effectively disables it.
Dependencies
windows.h
tlhelp32.h
Mitigations
Since this technique modifies a function’s entry point by inserting a RET instruction, detection focuses on identifying unusual modifications in memory. Here are some effective ways to detect it:
1. Memory Scanning for Unexpected RET Instructions
Behavior: Critical functions should not start with a RET (0xC3 on x86 and x64, 0xD65F03C0 on ARM64).
Detection: Periodically scan function entry points in process memory for unexpected RET instructions.
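The entry-point check described above, as an added example that is not part of the original page: given the first bytes read from a function's entry point, flag it when the first instruction is a RET in either encoding. The struct, enum and function names, and the sample bytes, are constructed for this illustration; a real scanner would fill the table from ReadProcessMemory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Architectures whose RET encodings are checked. */
enum arch { ARCH_X86_64, ARCH_ARM64 };

/* One function entry as a scanner would have read it from the target
 * process. The bytes in the sample table below are constructed. */
struct entry {
    const char *name;
    enum arch arch;
    uint8_t bytes[8];
    size_t len;
};

/* Returns 1 if the first instruction at the entry point is a RET:
 * 0xC3 on x86/x64, or 0xD65F03C0 (little-endian C0 03 5F D6) on ARM64. */
int entry_is_ret(const uint8_t *bytes, size_t len, enum arch arch)
{
    static const uint8_t arm64_ret[4] = { 0xC0, 0x03, 0x5F, 0xD6 };
    if (arch == ARCH_X86_64)
        return len >= 1 && bytes[0] == 0xC3;
    return len >= 4 && memcmp(bytes, arm64_ret, 4) == 0;
}

/* Scans a table of entry points and returns how many were flagged. */
size_t scan_entries(const struct entry *tab, size_t n)
{
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++) {
        if (entry_is_ret(tab[i].bytes, tab[i].len, tab[i].arch)) {
            printf("ALERT: %s begins with RET\n", tab[i].name);
            flagged++;
        }
    }
    return flagged;
}

/* Constructed sample: an intact x64 prologue (mov [rsp+8], rbx), a patched
 * x64 entry, an intact ARM64 prologue (stp x29, x30, [sp,#-16]!), a patched one. */
static const struct entry sample[] = {
    { "FuncA (x64, intact)",    ARCH_X86_64, { 0x48, 0x89, 0x5C, 0x24, 0x08 }, 5 },
    { "FuncB (x64, patched)",   ARCH_X86_64, { 0xC3, 0x89, 0x5C, 0x24, 0x08 }, 5 },
    { "FuncC (arm64, intact)",  ARCH_ARM64,  { 0xFD, 0x7B, 0xBF, 0xA9 }, 4 },
    { "FuncD (arm64, patched)", ARCH_ARM64,  { 0xC0, 0x03, 0x5F, 0xD6 }, 4 },
};

size_t scan_sample(void) { return scan_entries(sample, 4); }

int main(void) { return scan_sample() == 2 ? 0 : 1; }
```

A tiny function that legitimately consists of a single return will also match, so flagged entries should be compared against the on-disk image or a known-good snapshot before raising an alert.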
Steps
– Find process ID by name
– Open handle to process
– Get base of remote module
– Get address of local function
– Calculate remote function address
– Patch remote function with shellcode
Code
- C++
- Rust
⚠️ Note: The Rust code examples shown here are not exhaustively tested in all environments or edge cases.
Proof of Concept